If you’re new to CMMC, the first thing you’ll notice is that everyone talks in acronyms. Your prime sends you a clause referencing DFARS 7012. Your consultant mentions CUI boundaries and SSPs. Your MSP says they’ll handle MFA through Conditional Access in Entra ID. And you’re sitting there nodding like you know what any of that means.
This page is a reference. It lists every term and acronym you’re likely to run into while preparing for a CMMC Level 2 assessment, defined in plain English. No NIST-speak. No copy-pasted federal definitions. Just what the term actually means and why you should care about it.
Bookmark it. Come back when someone says something you don’t recognize.
A
ATO (Authority to Operate) A formal approval from a federal agency saying your system is authorized to process their data. Most small contractors won’t deal with this directly. It comes up more in FedRAMP and large government IT environments. You might hear it referenced when people talk about cloud services being “authorized.”
B
Boundary (CUI Boundary / Assessment Boundary) The line you draw around which systems, people, and processes handle CUI. Everything inside the boundary is in scope for your CMMC assessment. Everything outside is not. Getting this right is the single most important scoping decision you’ll make. Draw it too wide and you’re protecting systems that don’t need it. Draw it too narrow and the assessor will find CUI outside your boundary, which is worse. See SC.L2-3.13.1 for how boundary protection works in practice.
C
C3PAO (Certified Third-Party Assessment Organization) The company that conducts your official CMMC assessment. They send assessors to evaluate whether your organization meets all 110 practices. You choose your C3PAO, schedule the assessment, and pay for it. Think of them as the auditor. They don’t help you prepare. They just evaluate what you have.
CISA (Cybersecurity and Infrastructure Security Agency) The federal agency that issues emergency cybersecurity directives. When CISA says “patch this now,” that means immediately, not within your normal patch cycle. Your patch policy should reference CISA directives as a trigger for emergency patching.
CIS Benchmarks (Center for Internet Security Benchmarks) Published configuration standards for hardening operating systems, browsers, and applications. They’re well-regarded in the industry but assessors haven’t been specifically asking about them in CMMC assessments. Having a standard build based on CIS is good practice, but the assessor cares more that you have a documented baseline you can demonstrate, whatever the source.
CMMC (Cybersecurity Maturity Model Certification) The Department of Defense’s framework for verifying that defense contractors protect controlled unclassified information. Level 1 is basic safeguarding (17 practices, self-assessed). Level 2 is the big one: 110 practices from NIST SP 800-171, verified by a third-party assessor. Level 3 is for the most sensitive programs and adds practices from NIST SP 800-172. If you’re reading this site, you almost certainly need Level 2.
Conditional Access A feature in Microsoft Entra ID that lets you set rules for how users access your systems. For example: “require MFA for all users” or “block sign-ins from outside the US.” This is how most organizations enforce MFA and access policies in Microsoft 365 and Azure environments. The assessor will ask to see your Conditional Access policies.
CUI (Controlled Unclassified Information) Government information that isn’t classified but still needs protection. Technical drawings, contract performance data, engineering specs, test results, export-controlled data. If it came from the government and has a CUI marking (or should have one), it’s CUI. Everything in CMMC Level 2 exists to protect this. If you don’t know what CUI you handle, start with Step 1 in the Start Here guide.
D
DFARS (Defense Federal Acquisition Regulation Supplement) The set of rules that govern defense contracts. DFARS clause 252.204-7012 is the one that requires you to protect CUI and report cyber incidents. This clause is why CMMC exists. If it’s in your contract, you need to comply.
DIBCNET (Defense Industrial Base Cybersecurity Network) The DoD portal where you report cyber incidents. DFARS 7012 requires you to report incidents involving CUI within 72 hours through this system. Your FSO or designated point of contact handles the actual reporting.
E
EDR (Endpoint Detection and Response) Software that monitors your computers and servers for malicious activity in real time. Goes beyond traditional antivirus by watching behavior, not just matching known virus signatures. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black are common examples. The assessor will ask to see your EDR console showing all endpoints are enrolled and protected. See SI.L2-3.14.2 for what the assessor checks.
Entra ID (formerly Azure Active Directory / Azure AD) Microsoft’s cloud identity service. It’s where your users, groups, permissions, and authentication policies live if you’re in a Microsoft 365 environment. Most small contractors on Microsoft 365 manage access control, MFA, and Conditional Access through Entra ID. The assessor will ask to see it.
F
FCI (Federal Contract Information) Information provided by or generated for the government under a contract that isn’t public. FCI is less sensitive than CUI. CMMC Level 1 covers FCI protection. If you only handle FCI and no CUI, you need Level 1, not Level 2.
FIDO2 (Fast Identity Online 2) A standard for hardware security keys (like YubiKeys) that provide phishing-resistant MFA. The user plugs in or taps a physical key instead of typing a code from their phone. Assessors haven’t been specifically asking about phishing-resistant MFA yet, but it’s the gold standard and where the industry is heading.
FIPS (Federal Information Processing Standards) Government standards for cryptography. FIPS 140-2 (and its successor FIPS 140-3) define approved encryption methods. When someone says “FIPS mode,” they mean configuring a device or system to only use government-approved encryption algorithms. Putting your firewalls in FIPS mode covers most of the encryption requirements for SC practices.
FSO (Facility Security Officer) The person at your company responsible for security clearances and classified information. For CMMC purposes, the FSO is usually the point of contact for incident reporting to DIBCNET and for interfacing with the government on security matters. In a small company, this might be the owner or an admin person wearing multiple hats.
G
GCC High (Government Community Cloud High) Microsoft’s cloud environment built specifically for organizations handling CUI. It meets the FedRAMP High security baseline and DFARS 7012 requirements. If you’re a defense contractor on Microsoft 365, you should be on GCC High for anything touching CUI. Being in GCC High covers many encryption and data residency requirements naturally, but you still need to document how it meets each practice in your SSP.
I
Intune (Microsoft Intune) Microsoft’s cloud-based device management platform. It lets you push security policies, manage updates, deploy software, and enforce compliance on laptops, desktops, and mobile devices. Most small contractors in the Microsoft ecosystem use Intune to manage endpoints and prove device compliance to assessors.
IRP (Incident Response Plan) Your documented plan for what happens when a security incident occurs. Who gets called, what gets contained, how you investigate, how you recover, and how you report. The assessor will ask to see it and will ask pointed questions about whether you’ve tested it. See IR.L2-3.6.1 for what actually needs to be in it.
M
MDM (Mobile Device Management) Software that manages and secures mobile phones, tablets, and sometimes laptops. Intune is the most common MDM for Microsoft shops. The assessor cares that devices accessing your environment are managed and can have policies enforced on them.
MFA (Multi-Factor Authentication) Requiring two or more forms of proof before letting someone log in. Usually a password plus an authenticator app, phone call, or hardware key. If you only use passwords, you will fail your CMMC assessment. See IA.L2-3.5.2 for what the assessor checks and how to present your MFA configuration.
MSP (Managed Service Provider) A company you hire to manage your IT. They handle your network, your computers, your help desk. In a CMMC context, your MSP may own some of the controls being assessed. The assessor will want to understand who does what.
MSSP (Managed Security Service Provider) Like an MSP but focused on security operations. They run your SIEM, manage your EDR, respond to alerts, and often handle compliance program management. In the assessment room, a good MSSP presents evidence for the controls they operate and explains how they protect your environment. The best MSSPs have gone through CMMC assessment themselves.
N
NIST SP 800-171 (Special Publication 800-171) The NIST document that defines the 110 security practices for protecting CUI. CMMC Level 2 maps directly to NIST 800-171 Revision 2. When someone says “NIST 800-171 controls,” they mean the same practices your CMMC assessment covers. The document itself is free and public, but it reads like it was written by committee (because it was).
P
POA&M (Plan of Action and Milestones) A tracking document for security gaps you know about but haven’t fixed yet. Each entry describes the gap, what you plan to do about it, who’s responsible, and when it will be done. The assessor expects to see a POA&M if you have open items. Having gaps isn’t automatically a failure. Having gaps with no plan to fix them is.
R
RMM (Remote Monitoring and Management) Software that lets your IT team (or MSP) remotely access, monitor, and manage your computers. ConnectWise, Datto, NinjaRMM, and similar tools. The assessor may ask about who has RMM access to your systems and how that access is controlled. See MA.L2-3.7.1 for how maintenance access gets evaluated.
S
SIEM (Security Information and Event Management) A system that collects logs from across your environment (firewalls, servers, endpoints, cloud services) and lets you search, correlate, and alert on them. Microsoft Sentinel, Splunk, and AlienVault are common examples. The assessor will ask who reviews SIEM alerts, how often, and what happens when something fires. See AU.L2-3.3.1 for audit logging requirements.
SOC (Security Operations Center) The team that monitors your security alerts and responds to threats. For small contractors, this is almost always outsourced to your MSSP. The SOC watches your SIEM, investigates alerts, and takes action when something is wrong. The assessor will want to understand the handoff between the SOC and your organization.
SSP (System Security Plan) The most important document in your CMMC assessment. It describes, practice by practice, how your organization meets each of the 110 requirements. The assessor reads it before the assessment and uses it as a roadmap for what to verify. If your SSP says “we do X,” the assessor will ask you to demonstrate X. Write it carefully. See CA.L2-3.12.4 for what makes an SSP work.
T
TTX (Tabletop Exercise) A walkthrough of a security scenario (ransomware attack, data breach, insider threat) where your team talks through what they would do step by step. No systems are actually tested. You’re just talking through the plan. The assessor will ask whether you’ve conducted one and what you learned from it. Conduct one at least annually.
W
WSUS (Windows Server Update Services) Microsoft’s on-premises tool for managing Windows updates. If you’re not using Intune or a cloud-based patch management tool, WSUS is how you push patches to your systems. Less common now that most environments have moved to cloud management, but some organizations still use it, especially for servers that aren’t Intune-enrolled.
Missing a term? Something on the site that didn’t make sense? Let me know and I’ll add it.